Full Report
Decentralized finance platform Cork Protocol paused trading and launched an investigation after millions of dollars' worth of Ethereum were lost in a "security incident."
Analysis Summary
# Incident Report: Cork Protocol Cryptocurrency Heist
## Executive Summary
On May 28th, 2025, the decentralized finance (DeFi) platform Cork Protocol suffered a security incident resulting in the theft of approximately $12.1 million worth of cryptocurrency (4,530 ETH). The attack specifically targeted the wstETH:weETH market, causing the company to immediately pause all other platform markets as a precautionary measure. The exact vector and detailed methodology remain under investigation by the company.
## Incident Details
- **Discovery Date:** May 28th, 2025 (Reported at 11:23 UTC)
- **Incident Date:** May 28th, 2025 (Attack occurred around 11:23 UTC)
- **Affected Organization:** Cork Protocol
- **Sector:** Decentralized Finance (DeFi) / Cryptocurrency
- **Geography:** Based in Delaware (Location of attack impact is decentralized/on the blockchain)
## Timeline of Events
### Initial Access
- **Date/Time:** May 28th, 2025, 11:23 UTC
- **Vector:** Exploitation of a vulnerability within the wstETH:weETH market smart contract. (Specific technical vector not detailed in the source)
- **Details:** Hackers successfully drained the specified market.
### Lateral Movement
- Not applicable/Not detailed in source, as this was a direct exploit of a protocol smart contract leading to asset draining, rather than network intrusion within corporate infrastructure.
### Data Exfiltration/Impact
- **What was stolen or damaged:** 4,530 ETH, valued at approximately $12.1 million at the time of the theft.
### Detection & Response
- **How it was discovered:** The incident was detected when the security breach occurred, leading to the immediate public acknowledgment by co-founder Phil Fogel.
- **Response actions taken:** All activity on the platform was paused; all other Cork markets were paused as a precaution. The company initiated an active investigation.
## Attack Methodology
- **Initial Access:** Exploitation of a vulnerability within the **wstETH:weETH market** (likely a flash loan attack or logical flaw exploitation common in DeFi).
- **Persistence:** N/A (Likely a one-time withdrawal/drain event).
- **Privilege Escalation:** N/A (Likely exploiting contract permissions/logic).
- **Defense Evasion:** N/A (Attack occurred at the smart contract execution level).
- **Credential Access:** N/A
- **Discovery:** N/A
- **Lateral Movement:** N/A
- **Collection:** The stolen ETH was exfiltrated from the affected market pool.
- **Exfiltration:** Transfer of 4,530 $\text{ETH}$ out of the protocol's hot/operational wallet addresses (implied by analysis from security firms like PeckShield).
- **Impact:** Direct financial loss to the protocol/users.
## Impact Assessment
- **Financial:** Loss of over $12 million (4,530 $\text{ETH}$).
- **Data Breach:** No specific user PII data breach confirmed, but user funds were compromised.
- **Operational:** All activity on the platform was paused immediately following the incident.
- **Reputational:** Significant reputational damage to the DeFi platform, occurring shortly after other major crypto platform thefts.
## Indicators of Compromise
- **Network indicators - defanged:** Unknown/Not disclosed.
- **File indicators:** None applicable (Smart Contract/On-Chain incident).
- **Behavioral indicators:** Unauthorized withdrawal of 4,530 $\text{ETH}$ from the Cork Protocol **wstETH:weETH market** smart contract address. (Etherscan link noted in source: `0x\text{ea6f30e360192bae715599e15e2f765b49e4da98}`).
## Response Actions
- **Containment measures:** Immediate pausing of all activity on the platform, including the affected $\text{wstETH:weETH}$ market and all other ancillary markets.
- **Eradication steps:** Active investigation commenced (details of technical remediation unknown).
- **Recovery actions:** Providing updates as more details become available (no user/fund recovery steps specified yet).
## Lessons Learned
- The DeFi space remains highly susceptible to exploits targeting specific market contracts, even for protocols supporting financial instruments like "depeg risk" hedging.
- The necessity for immediate service interruption upon detection to limit financial exposure.
- The critical nature of continuous third-party auditing, especially given the platform's focus on complex derivatives/hedging mechanisms.
## Recommendations
- Implement robust, real-time monitoring for anomalous function calls or large withdrawals on critical DeFi pools.
- Conduct comprehensive formal verification and audits specifically targeting "depeg" risk parameters and oracle interactions.
- Establish a clear, pre-communicated plan for freezing assets and informing users immediately following fund drain events to minimize panic and further loss.